Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: facebook

Blackhat Europe Keynote: Facebook Keynote

Facebook CSO (Max Kelly)

Axiom 11: That feature can be used in a way that you didn’t think of. Try and find out what it is.

Facebook key security values

  • We will diligently pursue attackers of any type
    • This could mean taking them to court, but also offering them a job
  • We will use all legal means available to identify attackers and their motives
  • We will use all legal resources, civil and criminal, to protect our users, protect ourselves, and preclude further attacks
  • In line with Facebook corporate values: we will respect the trust our users place in us, and we will move fast and leverage our actions to high-order problems
  • We will work with the security community and will support and embrace white-hat efforts to assist us as we assist them

Axiom 23: Intelligence is king. Make every user interaction give you some sort of intel. Then build the tools to analyze it, and act on it.

Axiom 12: Compliance isn’t security. Put it off as long as you can. If you’re doing things right, it won’t be hard to codify. But, if you’re spending time on compliance too early, you’re getting pwned.

Vulnerabilities -> Threats -> Attacks -> Actors

“Without attacks, threats and vulnerabilities are fine” Max Kelly

  • Ignore the threats
    • They’re infinite
  • Know about threats, but be realistic
    • Are those internal firewalls really necessary?
  • Spend your time watching attacks
    • They will tell you everything
  • Target the actors
    • Destroy the ability for them to make money

Axiom 31: Ask your users for help. They want to.

SPAM Redefined

  • Classic spam (text, URLs)
  • Friend Requests
  • “creepers”
  • Chain Letters

SPAM Defense (automated defenses in real-time)

  • Rate Limiting
  • User Reports
  • Anomaly detection
  • Classifiers
    • String blocking
    • Account deletion
    • Machine learning
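As an added example (not from the keynote and not Facebook's own tooling), two of the automated defenses listed above run over a constructed event stream: a sliding-window rate limit on friend requests, and an anomaly check for a single destination URL being fanned out by many accounts. The account names, URLs and timings are invented.

```python
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed sample event stream: (timestamp in seconds, account, action, payload).
EVENTS = [
    (0, "acct_a", "friend_request", "user_1"),
    (5, "acct_a", "friend_request", "user_2"),
    (9, "acct_a", "friend_request", "user_3"),
    (14, "acct_a", "friend_request", "user_4"),  # fourth request inside the 60 s window
    (30, "acct_b", "friend_request", "user_5"),
    (31, "acct_b", "message", "lunch? http://bbc-news.example/story"),
    (40, "acct_c", "message", "look! http://cheap-pills.example/offer"),
    (41, "acct_d", "message", "wow http://cheap-pills.example/offer?r=2"),
    (42, "acct_e", "message", "free http://cheap-pills.example/offer?r=3"),
]

def allow(history, key, ts, limit, window_s):
    """Sliding-window rate limit: at most `limit` events per key within the trailing window."""
    q = history[key]
    while q and q[0] <= ts - window_s:  # drop events that have fallen out of the window
        q.popleft()
    if len(q) >= limit:
        return False
    q.append(ts)
    return True

def domains_in(text):
    """Hostnames of any http(s) URLs found in a message body."""
    return {urlparse(tok).hostname for tok in text.split() if tok.startswith("http")}

def detect_spam(events, fr_limit=3, window_s=60, fanout=3):
    """Return {(account, reason)} for rate-limit hits and for URLs pushed by >= `fanout` accounts."""
    history = defaultdict(deque)
    accounts_by_domain = defaultdict(set)
    flagged = set()
    for ts, acct, action, payload in events:
        if action == "friend_request" and not allow(history, acct, ts, fr_limit, window_s):
            flagged.add((acct, "friend_request_rate"))
        elif action == "message":
            for domain in domains_in(payload):
                accounts_by_domain[domain].add(acct)
    # Anomaly: the same destination domain fanned out by many distinct accounts.
    for domain, accts in accounts_by_domain.items():
        if len(accts) >= fanout:
            flagged.update((a, f"shared_url:{domain}") for a in accts)
    return flagged

if __name__ == "__main__":
    for hit in sorted(detect_spam(EVENTS)):
        print(hit)
```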

Typical Spam Attack on Facebook

The first stage is for an attacker to identify a possible attack vector. Next, the attacker begins to collect accounts (either by hijacking accounts, by phishing, or by friending the people they want to spam). Program or purchase scripting software to spam users. Begin spamming. Follow the money!

Facebook responds to this by finding where and how you plan to make money. Where are you forwarding the user to? What is the end goal (malware, advertising, phishing, …)?

Facebook actively attempts to disrupt attacks by seeding false phishing lists and tracking who uses the honey-accounts.

Facebook have a number of lawsuits lined up that they are following “at their leisure”.

Axiom 66: Sometimes, ignore the rules. The bad guys do all the time.

For more information please see the Blackhat Europe website

Strange twitterings from the BBC

Earlier today I was catching up on some tidbits of world news from various sources when I stumbled across something that caught my eye. BBC World News offers a Twitter feed of their latest headlines. I sometimes browse the list to see what’s going on in the world and to reaffirm my opinion that we’re all doomed. Today, however, a specific article in the list caught my eye.

“It’s Time To Legalize Cannabis.”

This snippet of news, and the associated link, didn’t really fit with the other news. For starters, the capitalisation and the use of the American spelling of legalize (rather than legalise). There was also the fact that the majority of other news snippets started off with BBC Business News, whereas this didn’t. By using Twitter’s search function I could also see that the exact same tweet had been sent out on a regular basis for at least 10 days (possibly longer). The last thing that made me think this wasn’t really a tweet from BBC_News_World was the “from” label under the tweet.

Whereas all other tweets come from Twitterfeed, these are the only ones that purport to come from twitRobot. Very strange.

By pulling up the link on a test system, the bit.ly link took me to a Facebook cause with the same title as the tweets posted through the BBC Twitter feed: “It’s Time To Legalize Cannabis”.

By pulling up the bit.ly statistics I could see that this link had been actively used since the end of September and had been clicked over 665 times. It also showed the original creator of the link as a user called therealtwitter. This appears to be the name used when Twitter automatically shortens a URL in a post for the user. So, unfortunately, no tracking information there.

More detailed information can be found on the bit.ly info page for this link, including a breakdown of clicks by country and clicks by referrer. By looking at the referrer stats it’s evident that this bit.ly link is also being sent out through email and IM.

Although the Facebook cause at the end of the link appears benign at first glance, it certainly warrants further investigation into why this link is spreading through the BBC Twitter feed (possibly without their knowledge). This cause could be something as simple as a person trying to drum up members for their cause. Then again, it could just as easily be a phishing site designed to steal logon credentials, or to perform attacks against the user’s browser. Further work is needed to see exactly what’s behind this.

If I receive a response regarding this I’ll certainly post a follow-up. Until then, watch out, just in case.
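A feed-level check for the three tells noted in this post (a posting client the account never otherwise uses, the missing habitual “BBC …” prefix, and the same text re-posted day after day), written as an added example that is not part of the original post. The feed contents, dates and the bit.ly placeholder are constructed; the client names Twitterfeed and twitRobot are the ones seen above.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of a headline feed: (date, posting client, text). The dates,
# headlines and the bit.ly placeholder are invented for this example.
FEED = [
    (date(2009, 10, 1), "Twitterfeed", "BBC Business News: Markets steady after rate decision"),
    (date(2009, 10, 1), "twitRobot", "It's Time To Legalize Cannabis. http://bit.ly/PLACEHOLDER"),
    (date(2009, 10, 1), "Twitterfeed", "BBC News: Flooding closes roads in the north"),
    (date(2009, 10, 2), "Twitterfeed", "BBC Business News: Oil price slips again"),
    (date(2009, 10, 2), "twitRobot", "It's Time To Legalize Cannabis. http://bit.ly/PLACEHOLDER"),
    (date(2009, 10, 3), "Twitterfeed", "BBC News: Election date confirmed"),
    (date(2009, 10, 3), "twitRobot", "It's Time To Legalize Cannabis. http://bit.ly/PLACEHOLDER"),
    (date(2009, 10, 3), "Twitterfeed", "BBC Business News: Retail sales rise"),
]

def baseline(feed):
    """The account's normal posting client and normal leading word, decided by majority."""
    client = Counter(src for _, src, _ in feed).most_common(1)[0][0]
    lead = Counter(text.split()[0] for _, _, text in feed).most_common(1)[0][0]
    return client, lead

def flag_tweets(feed, min_days=3):
    """Map suspicious tweet text -> set of reasons it deviates from the feed's own pattern."""
    client, lead = baseline(feed)
    days_seen = defaultdict(set)
    for day, _, text in feed:
        days_seen[text].add(day)
    flags = defaultdict(set)
    for day, src, text in feed:
        if src != client:                      # posted through a client the account rarely uses
            flags[text].add(f"unusual_client:{src}")
        if not text.startswith(lead):          # lacks the feed's habitual leading word
            flags[text].add("missing_prefix")
        if len(days_seen[text]) >= min_days:   # identical text re-posted on several days
            flags[text].add("repeated_daily")
    return dict(flags)

if __name__ == "__main__":
    for text, reasons in flag_tweets(FEED).items():
        print(sorted(reasons), text)
```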